Title: Inference Cost Attacks for Retrieval-Augmented Large Language Models

Abstract: While Retrieval-Augmented Generation (RAG) systems significantly enhance Large Language Models (LLMs), they incur substantial inference expenses due to a complex, multi-stage pipeline that dynamically fetches and integrates data from external repositories. This elevated operational expenditure creates a significant security gap, rendering these systems susceptible to Inference Cost Attacks (ICAs). However, current ICAs frequently depend on the unrealistic premise of direct prompt manipulation. We contend that a more viable and dangerous threat vector involves contaminating external knowledge bases, such as internet-based repositories. To address this, we present the Retrieval-Augmented Inference Cost Attack (RA-ICA), a new adversarial framework designed to exploit the computational overhead of RAG-enhanced LLMs by introducing malicious documents into the external corpus. We implement this attack through Computational Resource Exhaustion via External Poisoning (CREEP), a framework that utilizes LLM agents to automatically generate malicious documents. These documents are engineered to be semantically relevant for retrieval while simultaneously triggering an anomalous spike in token usage during inference. To maximize the efficacy of this approach, we developed Memory-Augmented Group Relative Policy Optimization (MA-GRPO), a novel reinforcement learning algorithm. This algorithm fine-tunes the agents by leveraging a dynamic memory of historically successful adversarial documents. Our extensive experiments, conducted across three real-world datasets, reveal that RA-ICA can escalate token consumption by as much as 13.12 times with a success rate exceeding 90%, all while maintaining the integrity of the generated responses.

Source: arXiv Generated at: 2026-06-03 00:00:00 UTC